Sunday, February 9, 2014

Late Friday afternoon, we learned that Judge Breslin of the NY Supreme Court dismissed the lawsuit to prevent the NY State Education Department from uploading personal student data to inBloom, which in turn plans to share this information to vendors without parental consent. The judge's decision is nonsensical in many ways, as he didn't show how the state's disclosure of personal student data to inBloom was either necessary or specifically authorized by law, as the Personal Privacy Protection Law requires. Instead, his decision exhibits slipshod and circular reasoning.

Despite the chorus of inBloom supporters and others on the Gates payroll who pounced on this decision with glee, the Court did not make any independent judgments on the educational value or security of this information. Instead, the judge pointed out an exception in the PPPL: that such disclosure can be made "to those who contract
with, the agency that maintains the record if such disclosure is necessary
to the performance of their official duties pursuant to a purpose of
the agency required to be accomplished by statute or executive order
or necessary to operate a program specifically authorized by law."

However, the State did not prove that such disclosure to the contractor, in this case inBloom, was indeed"necessary to the performance of their official duties" or "necessary to operate a program specifically authorized by law" -- so I'm really not sure how the Judge came to this conclusion, and it seems to be based upon a very slippery argument.

Moreover, according to the experts that we've spoken to, the contractor would itself be bound by the PPPL law and thus required to protect privacy to the same extent as the State Education Department. This means that inBloom could not redisclose any personal data to vendors, including the dashboard providers, without parental consent.

The only real discussion of this issue by the judge in his decision is on p. 15, where he says that the "determination...to utilize a third party vendor to design and effectuate the portal and the dashboard systems" was "not unlawful" as it was made to "carry out the duties of the agency which is promote and further the educational process and supervise all public schools."

So that the disclosure to a contractor, namely inBloom, is allowed "inasmuch as disclosure is necessary to the performance of respondents' official duties." Because SED says it is done to carry out its "duties," therefore it is "necessary" and the PPPL does not apply? Why have a law that restricts the actions of state agencies to disclose personal information unless it is "necessary," and then defer blindly to the agency whenever it claims that such disclosure is needed to perform its duties?How do we know that disclosing this data to inBloom is unnecessary? No
other state is providing its student data to inBloom, even states that received considerable Race
to the Top funds. No other state is outsourcing its entire student
longitudinal record system to a private corporation, as far as we know.
The vast majority of New York school board members have opposed the disclosure of this
inforrmation to inBloom, as does nearly every Superintendent who has
spoken out on this issue.

The state itself says it will not upload the data to the inBloom cloud until at least April, because of contractor delay, and that it will take two months after that until the dashboards are fully operable, which means that it will be at least June until they are working.

Ken Wagner's affidavit adds the salient fact that in "September 2014, the State's RTTT funding ends if we are unable to obtain an extension...At that point NYSED's rols as subsidizing and serving as a marketplace for...dashboard services will end and inBloom must delete all the data that we have given them."

NYSED also admits that even if they do get an extension, inBloom will start charging for its services in January 2015 -- and that they may have no budget to pay for it when it does. At that point as well, districts would have to pay separately for the dashboards, and none have so far said that they intend to do so.

So that at most, there would be four months during the school year -- September to December 2014, and possibly even less time -- when the dashboards populated from the inBloom cloud would be operational. Is uploading the most sensitive information of every public school student in the state onto a data cloud a rational decision, so that dashboards may operate for four months at most? Is it really necessary for the performance of SED's official duties? This shows how absurd, arbitrary and reckless this determination of Commissioner King--and Judge Breslin's rubberstamp opinion -- really is.

As we pointed out, the state had violated several other provisions of the Personal Privacy Law,including never having submitted a privacy impact statement in over thirty years, which is required by law. This privacy impact statement is supposed to provide details as to what personal data every state agency are collecting and which of this data are being provided to third parties, under what legal justification,. NYSED also never appointed a privacy officer, as the law calls for as well. Finally, the SED never established any rules governing the retention or disposal of the data supplied to inBloom, which also violates the PPPL .

The Judge did not disagree, but the fact that Ken Wagner, (who I guess by default is SED's privacy officer!) did finally submit a privacy impact statement in December in response to our lawsuit, no matter how incredibly inadequate and late the statement is, seems to have satisfied him. (See Wagner's laughably incomplete statement and the accompanying spreadsheet, especially vague as to who the state may decide to share this information with and under what authority and conditions.)

The Judge also noted that Wagner finally provided information in hisstatement as to the disposal and destruction of this information. Wagner now says that inBloom will be required to destroy all the data when students graduate from high school, but that all of their personal data will be then transferred to the State archives for at least eight years following graduation,with uncertain restrictions on access and an indefinite time line for disposal-- which in itself seems to violate the strict conditions laid out in the PPPL.

Never mind. We will continue fighting for laws, namely A.6059A, passed unanimously by the Assembly last session and now introduced in Senate S.5932, that would put strict limits on the state's ability to share any personal information with third parties, and would prohibit any vendor from redisclosing such information to third parties without parental consent, as inBloom plans to do.

As the leaders of both parties have come out
strongly against the state’s plan to share such sensitive student information with inBloom, I believe that they will never allow the Commissioner
to go ahead with this unwarranted and massive violation of student privacy.